On October 15, 2024, the United States Department of Defense (DoD) published the final rule for the Cybersecurity Maturity Model Certification (CMMC) 2.0, signaling a new era in cybersecurity compliance for defense suppliers.
CMMC 2.0 came with a raft of changes, including reducing the compliance maturity levels from five in CMMC 1.0 to three. The new program also mandates third-party assessments for Levels 2 and 3, with Level 1 businesses required to self-affirm their compliance status annually.
But perhaps the most notable reform to the CMMC framework is the introduction of mandatory compliance for all defense contractors. Unlike CMMC 1.0, which focused on prime contractors, the new program requires all Defense Industrial Base (DIB) companies to attain compliance at their respective maturity levels.
Wondering if these regulations apply to your business? Read on to find out the various entities that must meet the CMMC compliance guidelines.
CMMC, short for Cybersecurity Maturity Model Certification, is a program created by the U.S. Department of Defense to enforce cybersecurity compliance for all defense contractors.
To obtain CMMC compliance, you must meet the set of security requirements defined for your respective CMMC level.
As mentioned, CMMC 2.0 has three maturity levels. Each has a set of cybersecurity controls and procedures that organizations seeking CMMC compliance (OSCs) must satisfy.
CMMC Level 1 mandates compliance with 15 requirements that align with the Federal Acquisition Regulation (FAR) clause 52.204-21. Organizations must self-assess and confirm their compliance status annually.
Level 2 businesses must satisfy 110 security controls contained in NIST 800-171. This level also requires triennial assessments led by third-party assessment organizations (C3PAOs).
The most advanced CMMC maturity level – Level 3 – mandates compliance with all 110 security protocols in NIST 800-171 plus 24 controls from NIST SP 800-172.
The CMMC framework primarily targets two classes of sensitive information: Federal Contract Information (FCI) and Controlled Unclassified Information (CUI).
Both FCI and CUI are generated by or on behalf of the government. The two information classes are also sensitive and require proper safeguards while handling, storing, or disseminating.
However, FCI is typically meant for consumption by individual contractors while CUI may be released to the general public under special circumstances. That distinction implies that CUI requires more layers of protection than FCI.
Examples of controlled unclassified information include personally identifiable information like social security numbers and critical infrastructure information like military installations.
FCI encompasses things like private DoD correspondences, blueprints of defense buildings, charts of military training grounds, etc.
All three CMMC Levels borrow heavily from NIST. However, the two frameworks are quite distinct from each other.
NIST, the National Institute of Standards and Technology, outlines the general guidelines for safeguarding controlled unclassified information. Meanwhile, CMMC builds upon NIST standards to enforce cybersecurity compliance for defense contractors.
CMMC also differs from NIST in who the programs target. While NIST requirements have been widely adopted by several federal agencies, CMMC specifically targets defense industrial base companies.
In addition, CMMC requirements are mandatory for aspiring defense suppliers, whereas NIST standards are optional.
Another key distinction between CMMC and NIST relates to the scope of Plans of Action & Milestones (POA&Ms). CMMC Level 2 imposes limitations on POA&Ms, whereas NIST SP 800-171 has no such restrictions.
The Federal Risk and Authorization Management Program (FedRAMP) is a government-wide cybersecurity program developed to help federal agencies vet and select cloud service providers (CSPs). Again, the principal difference is who each cybersecurity framework targets.
While CMMC is unique to the DIB ecosystem, FedRAMP applies to all government agencies.
But despite these distinctions, CMMC and FedRAMP both play a critical role in safeguarding federal supply chains.
The defense industrial base is a vast network of entities that provide essential services to the U.S. Department of Defense. This ecosystem encompasses both public and private entities, each of which plays a pivotal role in supporting the DoD’s operations.
DIB companies offer a range of services, from manufacturing to software development, equipment maintenance, and even property renovations. Others include product research, logistics, and consultancy.
The defense industrial base sector comprises over 100,000 businesses, and the number is constantly growing. It would therefore be extremely challenging for the DoD to manually track cybersecurity compliance across such a vast network.
CMMC was developed to ease that burden. The program enforces cybersecurity via certification, ensuring every DoD supplier plays their role in threat monitoring.
By mandating compliance for all existing and prospective defense contractors, the DoD can effectively avert cyber risks aimed at its own supply chain.
A prime defense contractor is an entity that enters into direct contractual engagements with the Department of Defense.
These contractors bear a greater burden of responsibility when it comes to safeguarding the defense supply chain. So, strict CMMC compliance is paramount.
Examples of prime DoD contractors include Lockheed Martin and Boeing. The two companies account for the bulk of defense tenders, which means they handle a significant amount of FCI and CUI.
Other major defense suppliers include General Dynamics, BAE Systems, and Northrop Grumman.
As prime contractors engage directly with the DoD, they may come into possession of highly sensitive information. Whether it’s FCI or CUI, the contractor must safeguard such information from unauthorized access.
Prime contractors must establish proper assets for storing federal contract information. Access to such data would then be highly restricted, ensuring only privileged employees can interact with the information.
For CUI, prime contractors must implement the necessary safety protocols to ensure the disseminated information doesn’t end up in the wrong hands and potentially jeopardize national security.
Indeed, recent cyber events like the SolarWinds attack have underscored the need to safeguard the defense supply chain.
One significant reform to the previous CMMC iteration was the introduction of mandatory compliance for all defense contractors. That includes both prime and subcontractors.
Subcontractors are entities that work for prime contractors. They may also be employed by other subcontractors.
Subcontractors don’t contract directly with the Department of Defense. However, that doesn’t spare them from CMMC obligations.
When a prime defense contractor secures a tender and chooses to hire another company to undertake the assignment, the prime contractor must cascade the CMMC requirements to the subcontractor. The implication is that the subcontractor must fulfill all CMMC requirements just as the prime contractor would.
Assume that your business handles controlled unclassified information. In that case, you must obtain Level 2 CMMC certification to win a defense contract.
The DoD requires all Level 2 assessments to be led by CMMC Third-Party Assessment Organizations (C3PAOs). Therefore, all your subcontractors would need to schedule C3PAO-led assessments and obtain Level 2 certifications to fulfill the contract.
Not to be confused with subcontractors, external service providers (ESPs) are entities that offer specific services that prime contractors require to deliver on their contractual obligations.
The new CMMC framework has an ‘External Service Provider Considerations’ section. According to the program, an ESP can be subject to CMMC’s requirements if they meet the minimum criteria for CUI Asset or Security Protection Asset.
Simply put, your ESP must comply with the relevant CMMC controls if it maintains log and configuration data for your organization’s CUI assets.
Level 2 certification is the default requirement for most ESPs, although this will depend on the specific information class your business handles.
The CMMC framework principally targets federal contract information and controlled unclassified information. While most DIB businesses handle both types of sensitive information, some only process FCI.
Go over your defense contracts to establish which information class applies to your company.
The three CMMC levels target different types of defense suppliers. While Level 2 compliance is mandatory for Level 3 certification, it’s prudent to analyze each maturity level separately as they deal with different types of information.
You’ll require CMMC Level 1 compliance if your business only handles federal contract information. Meanwhile, Level 2 and 3 certifications are mandatory for companies that process controlled unclassified information.
If you’re a new defense supplier only handling Federal Contract Information, it would be best to prioritize Level 1 compliance.
A gap analysis is a critical process in CMMC compliance assessment and the eventual certification. It involves scoping your organization’s information storage assets for FCI and CUI.
To conduct a gap analysis effectively, scour the length and breadth of your data storage systems. Those include physical contract forms, hardware assets (such as hard drives and SD cards), and software platforms like cloud storage.
A system security plan is an elaborate document that details the plans your company has put in place or intends to implement to address the security weaknesses uncovered during the previous audits.
Core SSP components include the identified risks, remediation measures, and responsible personnel.
An SSP is commonly prepared alongside a Plan of Action & Milestones, which spells out the procedures for remediating the deficiencies within specific timelines.
Although the Cybersecurity Maturity Model Certification is being rolled out in phases, with full implementation poised to take effect in 2028, early adopters enjoy multiple benefits.
CMMC compliance provides a competitive edge when bidding for defense contracts. It also enables you to boost your organization’s cyber hygiene and build a solid reputation with your stakeholders.
Kick-start your CMMC compliance journey today by partnering with a trusted cybersecurity compliance agency. An experienced CMMC assessor will leverage their expertise to help you navigate common compliance pitfalls, accelerating the process.